Chainlink Pricefeeds are not checked for the latestTimestamp before using them. This can lead to the usage of stale pricefeeds.
Vulnerability Detail
According to the chainlink docs, one "should track the latestTimestamp variable or use the updatedAt value from the latestRoundData() function to make sure that the latest answer is recent enough for your application to use it". The protocol checks for sequencer state, and for roundId, but does not check when the price was last updated. This can lead to the protocol using stale values of the price oracle which can prevent a depeg trigger, or trigger premature depegs.
carrot
medium
Freshness of pricefeed not checked properly
Summary
Chainlink Pricefeeds are not checked for the
latestTimestamp
before using them. This can lead to the usage of stale pricefeeds.Vulnerability Detail
According to the chainlink docs, one "should track the
latestTimestamp
variable or use theupdatedAt
value from thelatestRoundData()
function to make sure that the latest answer is recent enough for your application to use it". The protocol checks for sequencer state, and for roundId, but does not check when the price was last updated. This can lead to the protocol using stale values of the price oracle which can prevent a depeg trigger, or trigger premature depegs.Impact
Stale chainlink pricefeed values.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L273-L318
Tool used
Manual Review
Recommendation
Check the
updatedAt
value from the sequencer. If it is too old, revert or add some contingency.Duplicate of #70